Hi,

It's mentioned that when we set "auto=route" in a connection entry/record for an IPsec tunnel, the "kernel traps are installed".

In layman's terms and understanding:

1. What exactly are these "kernel traps" installed? Can we view what traps are installed?
2. By default "install_routes" is YES, so the routes are added in table 220, which has a higher priority order above the main routing table.
3. So are these routes in table 220 correlated and mapped to the kernel traps?

For example, with table 220 (install_routes=yes, the default option enabled), the following are sample examples of the routes installed:

================================================
For a full-tunnel (localsubnet<>any) spokegw to hubgw
-------------------------------------------------------
root@OpenWrt:/etc# ip route show table 220
default via 2.2.2.1 dev eth0 proto static src 192.168.2.253
192.168.2.0/24 dev eth2 scope link
root@OpenWrt:/etc#

For a site to site tunnel
-----------------------
root@openwrt# ip route show table 220
44.44.44.0/24 dev eth0 scope link
172.31.38.0/24 via 44.44.44.254 dev eth0 proto static src 192.168.26.254

On a Remote-Access VPN Client (split-tunnel)
---------------------------
root@linuxgw2:~/dump3# ip route show table 220
192.168.6.0/24 via 100.100.100.2 dev eth1 proto static src 10.1.104.100
root@linuxgw2:~/dump3#

On a Remote-Access VPN Client (full-tunnel: local<>any)
---------------------------
root@OpenWrt:/etc# ip route show table 220
default via 95.1.1.1 dev pppoe-wan proto static src 10.1.5.10
192.168.10.0/24 dev eth2 scope link
root@OpenWrt:/etc#
=======================================================

Now in later strongSwan versions it's been recommended to use "install_routes=NO".

So again here too, as a kind request, in layman's perspective/view and understanding:

1. What happens to the routes that used to be installed earlier in table 220?
2. What effect does this "non-use of table 220" have on the "kernel traps" installed? Again, in this scenario, what kind of kernel traps are installed? Are they different from when table 220 was enabled? Can a user view these traps?
3. With "install_routes=NO":
   a) Does charon rely ONLY on the "default route" in the main routing table now?
   b) Does the config and use of IP policy routes (with use of IP rules and other routing tables defined by the user) continue to work in this case, and does charon also refer to the policy routes if configured?

We have these above doubts when we are thinking of moving to the "install_routes=no" regime and just using the main routing table and/or the custom IP policy routes/IP rules (for both IPv4 and IPv6 tunnels), especially when we want to go in for some critical "IPv4-over-IPv6 IPsec tunnels" scenarios (part of the transition to IPv6 networks).

Regards,
Rajiv
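As an added illustration (not from Rajiv's post or from strongSwan itself) of how the table-220 routes relate to the traps: charon's trap policies are XFRM policies in the kernel, listable with `ip xfrm policy`, and an outgoing packet only matches one if the route it takes gives it a source address inside the policy's selector, which is what the `src` hint on the table-220 routes above provides. The script parses the full-tunnel output quoted above together with a constructed `ip xfrm policy` sample (peer addresses, priority and reqid are made up) and checks that match, reporting a miss when the chosen route carries no suitable `src` hint.

```python
import ipaddress
import re

# Constructed sample: the full-tunnel table-220 output quoted in the post.
ROUTES_220 = """\
default via 2.2.2.1 dev eth0 proto static src 192.168.2.253
192.168.2.0/24 dev eth2 scope link
"""
# Constructed `ip xfrm policy` sample for that tunnel (peer, priority, reqid made up).
XFRM_POLICY = """\
src 192.168.2.0/24 dst 0.0.0.0/0
        dir out priority 375423 ptype main
        tmpl src 2.2.2.253 dst 3.3.3.3
                proto esp spi 0x00000000 reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.2.0/24
        dir in priority 375423 ptype main
        tmpl src 3.3.3.3 dst 2.2.2.253
                proto esp spi 0x00000000 reqid 1 mode tunnel
"""

def parse_routes(text):
    """Return (prefix, dev, src) per line of `ip route show` output."""
    routes = []
    for parts in (ln.split() for ln in text.splitlines() if ln.strip()):
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        src = parts[parts.index("src") + 1] if "src" in parts else None
        routes.append((ipaddress.ip_network(prefix), dev, src))
    return routes

def parse_out_policies(text):
    """Return (src_selector, dst_selector) for every 'dir out' policy."""
    pols, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)  # policy header line
        if m:
            cur = (ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2]))
        elif cur and line.strip().startswith("dir out"):
            pols.append(cur)
    return pols

def check_policy_routes(routes_text, xfrm_text):
    """Per outbound policy: longest-prefix route for its dst selector, and
    whether that route's 'src' hint falls inside the policy's src selector."""
    routes, report = parse_routes(routes_text), []
    for src_sel, dst_sel in parse_out_policies(xfrm_text):
        hits = [r for r in routes if dst_sel.network_address in r[0]]
        best = max(hits, key=lambda r: r[0].prefixlen, default=None)
        ok = bool(best and best[2] and ipaddress.ip_address(best[2]) in src_sel)
        report.append({"policy": f"{src_sel} -> {dst_sel}",
                       "dev": best[1] if best else None, "src_ok": ok})
    return report
```

Feeding it the main-table default route without the `src` hint (as would exist with install_routes=no and no other source selection) shows `src_ok` turning false, which is the case a user should check before switching regimes.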